Contributor:
Kat Kizior | Risk Advisory Manager
An entity that receives grant funding bears significant responsibility. Although these funds are often perceived as “free and clear,” they come with strict regulations that the recipient must follow. Compounding upon this challenge, any organization that expends more than $750,0001 in federal funds must undergo a single audit. Regardless of the amount of funding you receive or expend, there is always a possibility for an audit from a funder.
A robust internal control structure is crucial and required by Uniform Guidance. It equips recipients with the necessary tools for better grant compliance and audit results. The COSO Integrated Framework offers essential components and principles to achieve this.
The “Internal Control-Integrated Framework” developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was first introduced in 1992 and has since been updated in 2013 and 2017. While this particular framework is not required to be adopted by state and local governments, entities across many industries have found the COSO framework to be helpful in adopting a proper internal control structure at their organization.
As part of any single audit, you may have had auditors asking about your COSO framework or more specifically your control environment, risk assessment, information communication, monitoring and specific control activities. If a COSO framework is not required, why would anyone be asking about it? That’s because when administering grants under Uniform Grant Guidance Title 2 Part 200 Subpart D § 200.303 Internal controls, this section requires that entities:
“Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.”
It then goes on to explain that those internal controls should be in compliance with one of two frameworks, in which COSO is one of those frameworks described. While a “should” in regard to Uniform Grant Guidance is a best practice and not a requirement, having an internal control system in place is a requirement and the COSO framework is just one of the most commonly used frameworks around. While an entity may not formally adopt the COSO framework in its entirety, to establish and maintain a good system of internal controls an entity should have people, processes, and controls in place that they can clearly articulate to an auditor or a federal agency should they be chosen to be audited.
A Deeper Dive Into the COSO Integrated Framework
The COSO Integrated Framework is widely regarded as the leading model for effective internal controls due to its comprehensive and systematic approach. The framework is structured around five interrelated components, each of which is supported by specific principles. This structured approach enhances its applicability and adaptability to a wide range of organizations and industries. Let’s explore why the COSO framework is considered a top model.
Thorough Coverage
The COSO framework provides a complete view of internal control by breaking it down into five key components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. This approach ensures that organizations consider various aspects of internal controls in a systematic manner.
Interconnected Components
The framework recognizes the interconnectedness of the five internal control components. It emphasizes that these components are similar, yet different, and work together to create a strong and effective internal control system. This unified approach reflects the dynamic and integrated nature of organizational processes.
Principles-Based Approach
Each of the five components encompasses a set of principles that provide guidance on implementing effective internal controls. These principles serve as a flexible and scalable framework, allowing organizations to tailor their internal control systems based on their specific needs and circumstances.
Adaptability to Change
The COSO framework is designed to be adaptable to changes in an organization’s environment. Whether an organization is undergoing growth or facing new risks, the COSO framework provides a structure that can be revised to accommodate these changes while maintaining the integrity of internal control.
Focus on Risk Management
The framework places a strong emphasis on risk management, acknowledging that organizations operate in dynamic and uncertain environments. By integrating risk assessment into the internal control processes, the COSO framework helps organizations identify, assess, and respond to risks that could impact their goals and objectives.
Global Recognition and Acceptance
The COSO framework has gained widespread recognition and acceptance globally. Many regulatory bodies refer to the COSO framework as a benchmark for assessing the effectiveness of internal controls. This global acceptance makes it a preferred choice for organizations aiming to align with widely recognized standards.
Continuous Improvement and Monitoring
The COSO framework recognizes the importance of ongoing monitoring and continuous improvement. Organizations should make it a priority to regularly assess and update their internal control systems to adapt to changing circumstances, ensuring that they remain effective over time.
Applicability Across Industries
The flexibility of the COSO framework allows it to be applied across various industries and sectors. Regardless of the type of entity, organizations can leverage the COSO framework as a guide for establishing and enhancing their internal controls.
Five Interrelated Internal Controls Components Using COSO Principles
Understanding the principles underlying the COSO framework is crucial for organizations to realize the full value and benefits of implementing this internal control model. Each component, along with its associated principles, contributes a vital element to the overall goal of providing an organization with reasonable assurance regarding the effectiveness of its internal controls. Let’s break down how each component plays a crucial role:
1. Control Environment
A robust Control Environment is essential for effective internal controls. The COSO Control Environment principles highlight the critical role of leadership, organizational culture, and ethical considerations. By understanding and prioritizing these elements, organizations can fortify their internal control systems and navigate the complex landscape of risk management with confidence.
2. Risk Assessment
The COSO framework’s Risk Assessment component plays the role of helping organizations proactively manage risks that could impact their objectives. The principles and practical applications of this component aid organizations in their ability to identify, analyze, and respond to risks strategically and promote a resilient and adaptive internal control environment.
3. Control Activities
At the heart of internal control lies the implementation of Control Activities. COSO’s Control Activities are the most essential elements for effective internal controls, providing organizations with a roadmap to safeguard assets, ensure financial integrity, and achieve compliance objectives. Organizations can fortify their internal control environment and navigate the complexities of the business landscape with confidence and resilience.
4. Information and Communication
Information and effective communication is the channel through which the power of internal controls are harnessed. COSO’s Information and Communication component serves as the backbone of effective internal controls, ensuring that information flows seamlessly, decisions are well-informed, and stakeholders are engaged. By strategically implementing the principles within this component, an organization can build a foundation of transparency, accountability, and resilience in their internal control environment.
5. Monitoring Activities
Monitoring Activities within the COSO framework serves as the watchdog of internal controls. Monitoring Activities are the eyes and ears of effective internal controls, ensuring that controls remain relevant, responsive, and resilient. Organizations can establish a comprehensive monitoring system that safeguards success in the face of evolving risks and challenges.
Let Us Guide You Forward
If you need internal control or single audit assistance, please contact our dedicated Government & Public Sector team, which is well-versed in the unique challenges Federal, state and local governments and public sector entities face. We have deep experience assisting government entities with a myriad of services, including audit, grants management, risk management, and much more.
